A Model of Attacks of Malicious Hosts Against Mobile Agents

Abstract

Mobile agents and other mobile code entities extend the potential of (stationary) distributed systems by the possibility of programs being executed at computers that are often not maintained by the employer of that program. Here two parties are involved in running a program, and thus guarantees have to be given that one party will not harm the other. Especially the aspect that a mobile agent has to be protected against attacks of the executing party, or host, exists even in modest applications, and in those of the the electronic commerce domain. Furthermore, this problem is regarded to be very difficult as there are currently only two approaches that try to solve this problem entirely. Another difficulty in finding a solution for this problem, is that - contrary to some other system mechanisms for mobile agents - it is not enough to just propose a mechanism that seems to solve the problem, but a formal proof has to be given that the solution holds. The paper therefore proposes a model of attacks that can be used by malicious hosts against mobile agents. It is intended to be the basis for a formal analysis of single attacks and of the strength of potential protection mechanisms.

For that purpose, a set of requirements for such a model is presented. Using an existing machine model, namely Random Access Stored Program plus Stack machines (or RASPS), an attack model that fulfils these requirements is described. In this model, the components of the execution process can be accessed from outside. This fact is used by another machine that executes an attack program to control the execution of an agent program. The attack model can be used for two main purposes. The first purpose is the demonstration of the problem of malicious hosts. Contrary to e.g. data encryption problems, mobile agents are subject not only to a single, but a whole set of possible attacks by the host and it is currently not even clear whether all of these attacks are already identified. The attack model can be used to write an attack program that tries to perform a certain attack. The second purpose of the model is to offer a basis for proving the strength of the protection scheme of algorithms that try to protect agents from malicious hosts. It is pointed out that not only a protection algorithm needs to be secure but also the code it produces must be protected. The full paper can be accessed using the URL http://www.informatik.uni-stuttgart.de/ipvr/vs/projekte/mole/simc98.ps.gz.

This work was funded by the Deutsche Forschungsgemeinschaft (DFG)